The design decisions determine the deployment configuration to support the Cloud-Based Automation for VMware Cloud Foundation validated solution.

Deployment Specification

Table 1. Design Decisions for Deployment of the Cloud Proxy Appliance

Decision ID

Design Decision

Design Justification

Design Implication

CBA-CDP-CFG-001

Deploy the Cloud Proxy appliance in the default management vSphere cluster.

Required to establish secure communication between the VMware Cloud Foundation instance and VMware Aria Automation Assembler.

The Cloud Proxy must be able to connect to the internet through a firewall.

CBA-CDP-CFG-002

Protect the Cloud Proxy appliance by using vSphere High Availability.

Supports the availability objective without requiring manual intervention during an ESXi host failure.

None.

CBA-CDP-CFG-003

Place the Cloud Proxy appliance in a designated virtual machine folder.

Provides organization of the appliances in the management domain vSphere inventory.

You must create the virtual machine folder during deployment.

Table 2. Design Decisions for Deployment of the Cloud Proxy Appliance in Multiple Availability Zones

Decision ID

Design Decision

Design Justification

Design Implication

CBA-CDP-CFG-004

When using two availability zones, add the Cloud Proxy appliance to the VM group of the first availability zone.

Ensures that the Cloud Proxy appliance runs in the primary availability zone hosts group.

After the implementation of the second availability zone for the management domain, you must update the VM group for the primary availability zone virtual machines to include the Cloud Proxy appliance.

Table 3. Design Decisions for Deployment of the Cloud Extensibility Proxy Appliance

Decision ID

Design Decision

Design Justification

Design Implication

CBA-CEP-CFG-001

Deploy the Cloud Extensibility Proxy appliance in the default management vSphere cluster.

Required to establish secure communication between the on-premise VMware Aria Automation Orchestrator and VMware Aria Automation Assembler.

The Cloud Extensibility Proxy must be able to communicate out to the internet through a corporate firewall.

CBA-CEP-CFG-002

Protect the Cloud Extensibility Proxy appliance by using vSphere High Availability.

Supports the availability objective without requiring manual intervention during an ESXi host failure.

None.

CBA-CEP-CFG-003

Place the Cloud Extensibility Proxy appliance in a designated virtual machine folder.

Provides organization of the appliances in the management domain vSphere inventory.

You must create the virtual machine folder during deployment.

Table 4. Design Decisions for Deployment of the Cloud Extensibility Proxy Appliance in Multiple Availability Zones

Decision ID

Design Decision

Design Justification

Design Implication

CBA-CEP-CFG-004

When using two availability zones, add the Cloud Extensibility Proxy appliance to the VM group of the first availability zone.

Ensures that the Cloud Extensibility Proxy appliance runs in the primary availability zone hosts group.

After the implementation of the second availability zone for the management domain, you must update the VM group for the primary availability zone virtual machines to include the Cloud Extensibility Proxy appliance.

Network Design

Table 5. Design Decisions on Network Segments

Decision ID

Design Decision

Design Justification

Design Implication

CBA-CDP-NET-001

Place the Cloud Proxy appliance on the management VLAN.

  • Places the Cloud Proxy on the same network as the VMware Cloud Foundation components that the appliance must communicate with.

  • Provides a consistent deployment model for VMware Cloud services.

None.

CBA-CEP-NET-001

Place the Cloud Extensibility Proxy appliance on the management VLAN.

  • Places the Cloud Extensibility Proxy on the same network as the VMware Cloud Foundation components that the appliance must communicate with.

  • Provides a consistent deployment model VMware Cloud services.

None.

Table 6. Design Decisions on IP Addressing

Decision ID

Design Decision

Design Justification

Design Implication

CBA-CDP-NET-002

Allocate statically assigned IP addresses from the management VLAN to the Cloud Proxy appliance.

Using statically assigned IP addresses ensures stability of the deployment and simplifies maintenance and tracking.

Requires precise IP address management.

CBA-CEP-NET-002

Allocate statically assigned IP addresses from the management VLAN to the Cloud Extensibility Proxy appliance.

Using statically assigned IP addresses ensures stability of the deployment and simplifies maintenance and tracking.

Requires precise IP address management.

Table 7. Design Decisions on Name Resolution

Decision ID

Design Decision

Design Justification

Design Implication

CBA-CDP-NET-003

Configure forward and reverse DNS records for the Cloud Proxy appliance IP address.

Ensures the appliance is accessible by using a fully qualified domain name instead of using IP addresses only.

  • You must provide a DNS record for the appliance IP address.

  • Firewalls between the appliance and the DNS servers must allow DNS traffic.

CBA-CDP-NET-004

Configure DNS servers on the Cloud Proxy appliance.

Ensures the appliance has accurate name resolution.

  • DNS infrastructure services should be highly-available in the environment.

  • Firewalls between the appliance and the DNS servers must allow DNS traffic.

  • You must provide two or more DNS servers unless a DNS geographic load balancing is active.

CBA-CEP-NET-003

Configure forward and reverse DNS records for the Cloud Extensibility Proxy appliance IP address.

Ensures the appliance is accessible by using a fully qualified domain name instead of using IP addresses only.

  • You must provide a DNS record for the appliance IP address.

  • Firewalls between the appliance and the DNS servers must allow DNS traffic.

CBA-CEP-NET-004

Configure DNS servers on the Cloud Extensibility Proxy appliance.

Ensures the appliance has accurate name resolution.

  • DNS infrastructure services should be highly-available in the environment.

  • Firewalls between the appliance and the DNS servers must allow DNS traffic.

  • You must provide two or more DNS servers unless a DNS geographic load balancing is active.

Table 8. Design Decisions on Time Synchronization

Decision ID

Design Decision

Design Justification

Design Implication

CBA-CDP-NET-005

Configure NTP servers for the Cloud Proxy appliance.

  • Ensures that the appliance has accurate time synchronization.

  • Assists in the prevention of time mismatch between the appliance and dependencies.

  • NTP infrastructure services should be highly-available in the environment.

  • Firewalls between the appliance and the NTP servers must allow NTP traffic.

  • You must provide two or more NTP servers unless an NTP geographic load balancing is active.

CBA-CEP-NET-005

Configure NTP servers for the Cloud Extensibility Proxy appliance.

  • Ensures appliance has accurate time synchronization.

  • Assists in the prevention of time mismatch between the appliance and dependencies.

  • NTP infrastructure services should be highly-available in the environment.

  • Firewalls between the appliance and the NTP servers must allow NTP traffic.

  • You must provide two or more NTP servers unless an NTP geographic load balancing is active.

Life Cycle Management

Table 9. Design Decisions on Life Cycle Management

Decision ID

Design Decision

Design Justification

Design Implication

CBA-CDP-LCM-001

Use VMware Aria Automation Assembler to apply Cloud Proxy appliance upgrades.

VMware Aria Automation Assembler provides the ability to mange the life cycle management of the Cloud Proxy appliance.

None.

CBA-CEP-LCM-001

Use VMware Aria Automation Assembler to apply Cloud Extensibility Proxy appliance upgrades.

VMware Aria Automation Assembler provides the ability to mange the life cycle management of the Cloud Extensibility Proxy appliance.

None.

VMware Aria Automation Assembler Design

Table 10. Design Decisions on Tagging for VMware Aria Automation Assembler

Decision ID

Design Decision

Design Justification

Design Implication

CBA-CA-CFG-001

Establish and publish a well-defined strategy, implementation, and taxonomy for the tagging of cloud resources.

Capability and constraint tags facilitates resource consumption by using the declarative nature of cloud templates to define deployment configurations.

Your strategy must account for external tags, for example, vSphere and NSXtags, and internal, user-defined tags, managed through VMware Aria Automation Assembler.

CBA-CA-CFG-002

Apply constraint tags to the cloud template YAML structure.

To determine the deployment configuration during a provisioning operation, capabilities are matched with constraints, each expressed as tags, in cloud templates and images.

You must manage the capability tags on your cloud resources, such as cloud zones, storage and storage profiles, networks and network profiles.

Table 11. Design Decisions on Cloud Accounts for VMware Aria Automation Assembler

Decision ID

Design Decision

Design Justification

Design Implication

CBA-CA-CFG-003

Add a vCenter Server cloud account for each VI workload domain vCenter Server instance in the VMware Cloud Foundation instance.

You integrate the vCenter Server instance for each VI workload domain with VMware Aria Automation Assembler for provisioning.

You must manage the cloud account credentials and the life cycle management of the related service accounts.

CBA-CA-CFG-004

Add an NSX-T Manager cloud account for each VI workload domain NSX Manager cluster instance in the VMware Cloud Foundation instance.

You integrate the NSX Manager cluster for each VI workload domain with VMware Aria Automation Assembler for provisioning.

You must manage the cloud account credentials and the life cycle management of the related service accounts.

Table 12. Design Decisions on Cloud Zones for VMware Aria Automation Assembler

Decision ID

Design Decision

Design Justification

Design Implication

CBA-CA-CFG-005

Create a cloud zone for each VI workload domain.

Facilitates provisioning on a specific VI workload domain.

None.

CBA-CA-CFG-006

Add tags to each cloud zone.

Ensures that deployments can be targeted to a designated cloud account region.

  • You must manage the tagging of cloud zones.

  • You must ensure that constraint tags are included in the cloud template YAML if a cloud account region-specific targeting is required.

CBA-CA-CFG-007

For each vSphere cluster added to a VI workload domain, add tags to the vSphere cluster.

  • Ensures that, as you add new vSphere clusters to a VI workload domain, you can dynamically include compute resources for workload provisioning by adding the appropriate tags.

  • Ensures that deployments can be targeted for designated clusters of the VI workload domain.

  • You must manage the tagging of compute resources as you add clusters to a VI workload domain.

  • You must ensure that constraint tags are included in the cloud template YAML.

  • If resource pools must be activated in a VI workload domain, add tags only to the required resource pools in the VI workload domain clusters for cloud zones.

CBA-CA-CFG-008

Add a workload folder in the vCenter Server instance for each VI workload domain.

Ensures that cloud templates that do not include the folderName value are deployed in a default workload folder.

  • You must add the default workload folder to all VI workload domains.

  • To override the default folder, you must add logic in your cloud template YAML code to deploy cloud templates in alternative folders.

Note:

The destination folder, where the cloud templates are deployed, must exist. VMware Aria Automation Assembler cannot create the destination folder without extensibility.

Table 13. Design Decisions on Integrations for VMware Aria Automation Assembler

Decision ID

Design Decision

Design Justification

Design Implication

CBA-CA-CFG-009

Integrate VMware Aria Automation Orchestrator to extend automation and workload life cycle management capabilities.

Facilitates extended automation and workload life cycle management capabilities.

The use of VMware Aria Automation Orchestrator integration requires the Cloud Extensibility Proxy to be deployed within your VMware Cloud Foundation instance.

CBA-CA-CFG-010

Activate the Extensibility Actions On-Prem integration.

Facilitates lightweight actions through event subscriptions without the requirement for a public cloud account provider, such as Amazon Web Services Lambda or Microsoft Azure Functions.

The use of action-based extensibility requires the Cloud Extensibility Proxy to be deployed within your VMware Cloud Foundation instance.

Table 14. Design Decisions on Projects for VMware Aria Automation Assembler

Decision ID

Design Decision

Design Justification

Design Implication

CBA-CA-CFG-011

For each project, add one or more cloud zones based on the project requirements and allowed cloud resources.

Provides one or more cloud zones and their resources for project consumption.

None.

CBA-CA-CFG-012

For each project, set a provisioning priority for each cloud zone based on your deployment prioritization.

Prioritizes one cloud zone over another within a project. The default priority is 0 (highest priority).

You must manage the provisioning priority for each cloud zone in each project.

CBA-CA-CFG-013

For each project, set limits for the project cloud zones as required.

Sets the maximum number of workload instances and resources provisioned in the cloud zone for the project. The default limit is 0 (unlimited).

If a value greater than 0 (unlimited) is used for the instance or resource limit, you must manage the limit for each cloud zone in each project when requirements change.

CBA-CA-CFG-014

For each project, specify network, storage, and extensibility constraints that must be applied to all requests in the project.

Ensures proper placement of the workloads in a project and its cloud zones.

If the same constraint or the same constraint category is specified in both the project, for example, region:us-west-1, and the cloud template, for example, region:us-east-1, the constraint specified in the project takes precedence (region:us-west-1).

CBA-CA-CFG-015

For each project, add one or more custom properties, for example, project:foo.

Custom properties can be used for provisioning or capturing additional metadata, such as for reporting or extensibility actions.

If the same custom property is specified in both the project, for example, project:foo, and the cloud template, for example, project:bar, the property value specified in the project takes precedence (project:foo).

CBA-CA-CFG-016

For each project, add a custom naming template to be used for virtual machine names provisioned in the project.

The template provides a custom virtual machine name and does not affect the host name of the virtual machine.

Note:

Custom naming can also be managed by using extensibility.

The template substitutes auto-generated virtual machine names by using available properties, such as resource properties, custom properties, endpoint properties, project properties, and a random number with a specified number of digits.

You must ensure that the template generates unique names for this project and between projects.

Table 15. Design Decisions on Flavor Mappings for VMware Aria Automation Assembler

Decision ID

Design Decision

Design Justification

Design Implication

CBA-CA-CFG-017

Create standardized flavor mappings based on a common taxonomy and deployment intent.

Provides a simple, natural language naming to define common deployment size specifications.

You must publish and communicate the updates to cloud template developers and consumers.

CBA-CA-CFG-018

For each flavor mapping, add all applicable account regions.

Provides a simple, natural language naming to define common deployment size specifications when used in a specific account region.

You must maintain the mapping for any image mapping create or update operation.

Table 16. Design Decisions on Image Mappings for VMware Aria Automation Assembler

Decision ID

Design Decision

Design Justification

Design Implication

CBA-CA-CFG-019

Use the vSphere content library to synchronize machine images across VI workload domains and VMware Cloud Foundation instances.

  • The vSphere content library is built into vSphere and meets all the requirements to synchronize machine images across VI workload domains and VMware Cloud Foundation instances.

  • VMware Aria Automation can consume both Open Virtual Format (OVF) images or virtual machine templates from the vSphere content library.

  • Open source solutions, such as HashiCorp Packer, can be use to build machine images in the virtual machine template and OVA formats.

  • The vSphere content library permissions are connected to global permissions in the permissions hierarchy. To allow VMware Aria Automation Assembler to synchronize and use images in the content library, the user and role must be applied at the global permissions level.

  • You must provide storage space for machine images.

  • You must ensure that the service account used for the cloud account for vCenter Server has the minimum required permissions to consume machine images from the vSphere content library.

  • You must ensure that the number, size, and structure of the machine images are kept within the vSphere content library configuration maximums.

  • You must ensure HTTPS communication between all VI workload domain vCenter Server instances.

  • Deployment of OVF-based machine images from the vSphere content library might be slower than cloning of native vSphere templates.

  • Deployment of VM template-based machine images from the vSphere content library might be impacted during host maintenance/failure or until ownership update and VMware Aria Automation image collection updates.

CBA-CA-CFG-020

Create standardized image mappings based on similar operating systems, functional deployment intent, and cloud zone availability.

You can create a simple taxonomy to map images to cloud templates.

You must publish and communicate the image-mapping standards and updates to cloud template developers.

CBA-CA-CFG-021

For each machine image in an image mapping, add a constraint tag, if applicable.

Refines the machine image selection in an image mapping by matching constraints.

You must manage multiple machine images in each account region based on the use of constraint tags in your organization.

Table 17. Design Decisions on Network Profiles for VMware Aria Automation Assembler

Decision ID

Design Decision

Design Justification

Design Implication

CBA-CA-CFG-022

For each account region, add one or more network profiles based on network characteristics available for consumption.

You can add networks with predefined characteristics that can be consumed during a deployment process.

You must manage network profiles for each account region across VMware Cloud Foundation instances.

CBA-CA-CFG-023

For each network in a network profile, add one or more capability tags.

You use capability tags to manage the workload network placement logic during the deployment process.

You must manage capability tagging on each network profile for workflow placement during a deployment process.

Table 18. Design Decisions on Storage Profiles for VMware Aria Automation Assembler

Decision ID

Design Decision

Design Justification

Design Implication

CBA-CA-CFG-024

For each account region, add one or more storage profiles based on storage characteristics available for consumption.

You can add storage with defined characteristics that can be consumed during a deployment process.

You must manage storage profiles for each account region as storage is added, removed, and updated across VMware Cloud Foundation instances.

CBA-CA-CFG-025

For each storage profile, add one or more capability tags.

You use capability tags to manage the workload storage placement logic during the deployment process.

You must manage capability tagging on each storage profile for the workflow placement logic during a deployment process.

VMware Aria Automation Service Broker Design

Table 19. Design Decisions on Content Sources for VMware Aria Automation Service Broker

Decision ID

Design Decision

Design Justification

Design Implication

CBA-SB-CFG-001

Add a cloud template content source for each VMware Aria Automation Assembler project where cloud templates are authored and released.

Provides the ability to share released cloud templates with project members or other projects.

None.

CBA-SB-CFG-002

Add an extensibility actions content source for each VMware Aria Automation Assembler project where actions are authored and released.

Provides the ability to share released actions with project members.

None.

CBA-SB-CFG-003

Add a VMware Aria Automation Orchestrator workflows content source for each VMware Aria Automation Assembler project.

Provides the ability to share specific VMware Aria Automation Orchestrator workflows with project members.

None.

Table 20. Design Decisions on Content Customization for VMware Aria Automation Service Broker

Decision ID

Design Decision

Design Justification

Design Implication

CBA-SB-CFG-004

For each shared content item, customize the form based on the catalog item and user experience requirements.

You can create an intuitive user experience by using simple and discoverable forms that capture additional user inputs and in-form validations.

Requires customization of request forms per catalog item.

Table 21. Design Decisions on Policies for VMware Aria Automation Service Broker

Decision ID

Design Decision

Design Justification

Design Implication

CBA-SB-CFG-005

Identify and apply goals for your organization and each project based on the applicability of available policy types.

By understanding how the policies are processed, you can meet organizational goals without creating an excessive number of policies.

For each policy type, you must determine the applicability and your organizational goals to design policy enforcement and scope that results in the desired effective policy.

VMware Aria Automation Orchestrator Design

Table 22. Design Decisions on vCenter Server Plug-In for VMware Aria Automation Orchestrator

Decision ID

Design Decision

Design Justification

Design Implication

CBA-VRO-CFG-001

Register each VI workload domain vCenter Server instance with the VMware Aria Automation Orchestrator instance.

Required for communication between VMware Aria Automation Orchestrator and the VI workload domain vCenter Server instances.

  • When VI workload domains are added or removed, you must add or remove the vCenter Server instance in VMware Aria Automation Orchestrator.

  • When the service account password changes, you must run the Update a vCenter Server instance workflow with updated credentials.

Information Security and Access Control Design

Table 23. Design Decisions on Identity Management for Cloud-Based Automation

Decision ID

Design Decision

Design Justification

Design Implication

CBA-IAM-SEC-001

Limit the use of local accounts for interactive or API access and solution integration.

Local accounts are not specific to user identity and do not offer complete auditing from an endpoint back to the user identity.

You must define and manage service accounts, security groups, group membership, and security controls in Active Directory.

CBA-IAM-SEC-002

Limit the scope and privileges for accounts used for interactive or API access and solution integration.

The principle of least privilege is a critical aspect of access management and must be part of a comprehensive defense-in-depth security strategy.

You must define and manage custom roles and security controls to limit the scope and privileges used for interactive access or solution integration.

CBA-IAM-SEC-003

Assign Cloud-Based Automation organization, service, and project roles to designated Active Directory users.

To provide access to Cloud-Based Automation services, you assign Active Directory users to organization and service roles.

None.

Table 24. Design Decisions on Service Accounts for Cloud Accounts in VMware Aria Automation Assembler

Decision ID

Design Decision

Design Justification

Design Implication

CBA-CA-SEC-001

Define a custom vCenter Server role for VMware Aria Automation Assembler that has minimum privileges required to support a vCenter Server cloud account.

VMware Aria Automation Assembler integrates with VI workload domain vCenter Server instances using a minimum set of privileges required to support the cloud account.

  • You must maintain the privileges required by the custom vSphere role.

  • If additional VI workload domain vCenter Server instances are not in the same vCenter Single Sign-On domain, the custom role must be applied to each vCenter Single Sign-On domain.

CBA-CA-SEC-002

Create and assign the custom vCenter Server role to an Active Directory user account as a service account for each VI workload domain vCenter Server instance for application-to-application communication between VMware Aria Automation Assembler and vCenter Server.

Provides the following access control features:

  • VMware Aria Automation Assembler accesses each VI workload domain vCenter Server instance with a minimum set of permissions.

  • If there is a compromised account, the accessibility to the destination cloud account remains restricted.

  • You can introduce an improved accountability in tracking request-response interactions between VMware Aria Automation Assembler and the vCenter Server endpoint in the cloud account.

You must maintain the life cycle, availability, and security controls for the account in Active Directory.

CBA-CA-SEC-003

Create and assign the NSXEnterprise admin role to an Active Directory user account as a service account for each VI workload domain NSX Manager instance for application-to-application communication between VMware Aria Automation Assembler and NSX.

Provides the following access control features:

  • VMware Aria Automation Assembler accesses each VI workload domain NSX Manager with the minimum set of required permission.

  • If there is a compromised account, the accessibility to the destination cloud account remains restricted.

  • You can introduce an improved accountability in tracking request-response interactions between VMware Aria Automation Assembler and the NSX Manager endpoint in the cloud account.

You must maintain the life cycle, availability, and security controls for the account in Active Directory.

Table 25. Design Decisions on Service Accounts for VMware Aria Automation Orchestrator

Decision ID

Design Decision

Design Justification

Design Implication

CBA-VRO-SEC-001

Define a custom vCenter Server role for VMware Aria Automation Orchestrator that has minimum privileges required to support adding VI workload domain vCenter Server instances.

VMware Aria Automation Orchestrator integrates with VI workload domain vCenter Server instances by using the minimum set of privileges required to support the vCenter Server registration.

  • You must maintain the privileges required by the custom vSphere role.

  • If additional VMware Cloud Foundation instances are not in the same vCenter Single Sign-On domain, the custom role must be applied to each vCenter Single Sign-On domain.

  • VMware Aria Automation Orchestrator requires the Administrator level privilege to register a vCenter Server instance and can not be a restricted account. After the addition of VI workload domain, you can update and reduce the privileges for the custom role.

CBA-VRO-SEC-002

Create and assign the custom vCenter Server role to an Active Directory user account as a service account for each VI workload domain vCenter Server instance for application-to-application communication between VMware Aria Automation Orchestrator and vCenter Server.

Provides the following access control features:

  • VMware Aria Automation Orchestrator services access VI workload domain vCenter Server instances with the minimum set of required permissions.

  • If there is a compromised account, the accessibility to the destination integration remains restricted.

  • You can introduce an improved accountability in tracking request-response interactions between VMware Aria Automation Orchestrator and the vCenter Server instances.

You must maintain the life cycle, availability, and security controls for the account in Active Directory.

Table 26. Design Decisions on Password Policies for Cloud Proxy and Cloud Extensibility Proxy Appliances

Decision ID

Design Decision

Design Justification

Design Implication

CBA-CDP-SEC-001

Configure the local user password expiration policy for each Cloud Proxy instance.

  • You configure the local user password expiration policy for each Cloud Proxy instance to align with the requirements of your organization which might be based on industry compliance standards.

  • The local user password expiration policy is applicable to the root account for the Cloud Proxy appliance.

You must manage the local user password expiration settings on each Cloud Proxy instance by using the appliance console.

CBA-CDP-SEC-002

Configure the local user password complexity policy for each Cloud Proxy instance.

  • You configure the local user password complexity policy for each Cloud Proxy instance to align with the requirements of your organization which might be based on industry compliance standards.

  • The local user password complexity policy is applicable only to the local Cloud Proxy appliance users.

You must manage the local user password complexity settings on each Cloud Proxy instance by using the appliance console.

CBA-CDP-SEC-003

Configure the local user account lockout policy for each Cloud Proxy instance.

  • You configure the local user account lockout policy for each Cloud Proxy instance to align with the requirements of your organization which might be based on industry compliance standards.

  • The local user account lockout policy is applicable only to the local Cloud Proxy appliance users.

You must manage the local user account lockout settings on each Cloud Proxy instance by using the appliance console.

CBA-CEP-SEC-001

Configure the local user password expiration policy for each Cloud Extensibility Proxy instance.

  • You configure the local user password expiration policy for each Cloud Extensibility Proxy instance to align with the requirements of your organization which might be based on industry compliance standards.

  • The local user password expiration policy is applicable to the root account for the Cloud Extensibility Proxy appliance.

You must manage the local user password expiration settings on each Cloud Extensibility Proxy instance by using the appliance console.

CBA-CEP-SEC-002

Configure the local user password complexity policy for each Cloud Extensibility Proxy instance.

  • You configure the local user password complexity policy for each Cloud Extensibility Proxy instance to align with the requirements of your organization which might be based on industry compliance standards.

  • The local user password complexity policy is applicable only to the local Cloud Extensibility Proxy appliance users.

You must manage the local user password complexity settings on each Cloud Extensibility Proxy instance by using the appliance console.

CBA-CEP-SEC-003

Configure the local user account lockout policy for each Cloud Extensibility Proxy instance.

  • You configure the local user account lockout policy for each Cloud Extensibility Proxy instance to align with the requirements of your organization which might be based on industry compliance standards.

  • The local user account lockout policy is applicable only to the local Cloud Extensibility Proxy appliance users.

You must manage the local user account lockout settings on each Cloud Extensibility Proxy instance by using the appliance console.

Table 27. Design Decisions on Password Management for Cloud Proxy and Cloud Extensibility Proxy Appliances

Decision ID

Design Decision

Design Justification

Design Implication

CBA-CDP-SEC-004

Change the Cloud Proxy root password on a recurring or event-initiated schedule.

By default, the password for the Cloud Proxy root account expires every 90 days.

None.

CBA-CEP-SEC-004

Change the Cloud Extensibility Proxy root password on a recurring or event-initiated schedule.

By default, the password for the Cloud Extensibility Proxy root account expires every 365 days.

None.

Table 28. Design Decisions on Certificates for VMware Aria Automation Orchestrator

Decision ID

Design Decision

Design Justification

Design Implication

CBA-CEP-SEC-002

Use a certificate authority signed certificate containing the FQDN of the Cloud Extensibility appliance.

Ensures that all communications between the components and to the externally facing browser-based UI and API are encrypted.

  • Using certificates signed by a certificate authority might increase the deployment preparation time as certificate requests are generated and delivered.

  • You must manage the life cycle of the certificate.

CBA-CEP-SEC-003

Use a SHA-2 or higher algorithm for certificate signing.

The SHA-1 algorithm is considered less secure and has been deprecated.

Not all certificate authorities support SHA-2 or higher.

Table 29. Design Decisions on Trusted Certificates for VMware Aria Automation Orchestrator

Decision ID

Design Decision

Design Justification

Design Implication

CBA-CEP-SEC-004

Import the certificate authority root certificate to the VMware Aria Automation Orchestrator instance.

  • Ensures that the certificate for each VI workload domain vCenter Server instance is trusted by the VMware Aria Automation Orchestrator instance.

  • Ensures that other endpoints with certificates issued from the same certificate authority, for example, NSX Manager, are trusted.

If the certificate authority certificate is reissued, you must import an updated certificate to the VMware Aria Automation Orchestrator instance.